Gratisfaction- Loyalty, Rewards , Referral, Birthday and Giveaway Program Security & Risk Analysis

wordpress.org/plugins/gratisfaction-all-in-one-loyalty-contests-referral-program-for-woocommerce

Loyalty + Referral + Rewards + Birthdays and Anniversaries + Giveaways + Contests + Competitions + Sweepstakes. Selling on ETSY? Reward points for yo …

700 active installs · v4.6.1 · PHP minimum not listed · WP 3.0.1+ · Updated Mar 12, 2026
Tags: black-friday, christmas, contest, giveaways, loyalty
Score 100 · Grade A · Safe
CVEs total: 1 · Unpatched: 0 · Last CVE: Mar 25, 2024
Safety Verdict

Is Gratisfaction- Loyalty, Rewards , Referral, Birthday and Giveaway Program Safe to Use in 2026?

Generally Safe

Score 100/100

Gratisfaction- Loyalty, Rewards , Referral, Birthday and Giveaway Program has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

1 known CVE · Last CVE: Mar 25, 2024 · Updated 2mo ago
Risk Assessment

The "gratisfaction-all-in-one-loyalty-contests-referral-program-for-woocommerce" plugin exhibits a mixed security posture. On the positive side, all six SQL queries use prepared statements and 81% of outputs (173 of 213) are escaped. No critical or high-severity vulnerability appears in its history or in static analysis. The main concern is attack surface: of 39 entry points, 20 AJAX handlers and REST routes are registered without an authentication, nonce or permission check. Each of those is an entry point for unauthorized access or manipulation unless the handler body itself performs the check.

Taint analysis finds five data flows, four with unsanitized paths and two rated high severity. The one published CVE, a medium-severity stored XSS (CVE-2024-29798), was fixed in 4.3.5 eight days after disclosure and does not affect the current 4.6.1, but it is the same class of weakness (unsanitized input reaching output) as the open taint flows, so the pattern of inconsistent input handling deserves attention. Prepared statements and partial output escaping are present, but the unprotected entry points and the remaining unsanitized flows are where robust practice is not consistently applied, and they warrant review and remediation.

Key Concerns

  • AJAX handlers without auth checks
  • REST API routes without permission callbacks
  • High severity taint flows
  • One medium-severity CVE (stored XSS, CVE-2024-29798), patched in 4.3.5
  • Flows with unsanitized paths
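The weak registration patterns behind the first two concerns, next to hardened equivalents, as an added illustration. This is not code from the Gratisfaction plugin; the `example-loyalty/v1` namespace, the route and AJAX action names, the option and meta keys, the script handle and the capability choices are all hypothetical.

```php
<?php
// Added illustration, not code from the Gratisfaction plugin. It shows the two
// registration patterns the report flags (a REST route with no
// permission_callback, an AJAX handler with no nonce or capability check) next
// to hardened equivalents. The 'example-loyalty/v1' namespace, the route and
// action names, the option/meta keys and the capability choices are hypothetical.

// --- Weak: anyone who can reach /wp-json/ can call this route. ---
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-loyalty/v1', '/settings-weak', array(
        'methods'  => 'POST',
        'callback' => 'example_set_settings',
        // No 'permission_callback': since WP 5.5 this raises a _doing_it_wrong
        // notice, and the route behaves as if the callback returned true.
    ) );
} );

// --- Hardened: a state-changing route needs an authenticated caller with the
//     right capability, plus an args schema that validates every parameter. ---
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-loyalty/v1', '/settings', array(
        'methods'             => WP_REST_Server::EDITABLE,   // POST, PUT, PATCH
        'callback'            => 'example_set_settings',
        'permission_callback' => function ( WP_REST_Request $request ) {
            // A cookie-authenticated caller is treated as anonymous unless it
            // also sends a valid wp_rest nonce (X-WP-Nonce); core checks that
            // before this callback runs.
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'points_per_dollar' => array(
                'required'          => true,
                'type'              => 'integer',
                'minimum'           => 0,
                'maximum'           => 1000,
                'sanitize_callback' => 'absint',
                'validate_callback' => 'rest_validate_request_arg',
            ),
        ),
    ) );
} );

function example_set_settings( WP_REST_Request $request ) {
    // The args schema has already validated and sanitized this value.
    update_option( 'example_points_per_dollar', $request->get_param( 'points_per_dollar' ) );
    return rest_ensure_response( array( 'saved' => true ) );
}

// --- Weak AJAX handler: reachable logged-in or anonymous, trusts $_POST. ---
add_action( 'wp_ajax_example_apply_discount_weak',        'example_apply_discount_weak' );
add_action( 'wp_ajax_nopriv_example_apply_discount_weak', 'example_apply_discount_weak' );
function example_apply_discount_weak() {
    $points = $_POST['points'];                    // no nonce, no identity, no type check
    WC()->session->set( 'example_points', $points );
    wp_send_json_success();
}

// --- Hardened AJAX handler: nonce, identity, then sanitized input checked
//     against server-side state. No wp_ajax_nopriv_ registration, because
//     redeeming points only makes sense for a logged-in customer. ---
add_action( 'wp_ajax_example_apply_discount', 'example_apply_discount_safe' );
function example_apply_discount_safe() {
    check_ajax_referer( 'example_apply_discount', 'nonce' );   // wp_die(-1, 403) on failure
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    $points  = isset( $_POST['points'] ) ? absint( wp_unslash( $_POST['points'] ) ) : 0;
    $balance = (int) get_user_meta( get_current_user_id(), 'example_points_balance', true );
    if ( $points < 1 || $points > $balance ) {
        wp_send_json_error( 'invalid points value', 400 );
    }
    WC()->session->set( 'example_points', $points );
    wp_send_json_success( array( 'applied' => $points ) );
}

// The matching nonce is handed to the front-end script (hypothetical handle)
// and sent back as the 'nonce' POST field of the AJAX request.
add_action( 'wp_enqueue_scripts', function () {
    wp_localize_script( 'example-loyalty-js', 'exampleLoyalty', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_apply_discount' ),
    ) );
} );
```

To check a live site from the outside, send an unauthenticated POST to a route with curl and look at the response: core answers a denied anonymous caller with HTTP 401 and the error code `rest_forbidden` (403 for a logged-in caller the permission callback rejects), whereas a route registered without a permission callback runs its handler. The same probe against the `/wp-json/grwoo/v1/` routes listed under Attack Surface shows which of this plugin's routes deny anonymous callers on your installation.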
Vulnerabilities
1 published

Gratisfaction- Loyalty, Rewards , Referral, Birthday and Giveaway Program Security Vulnerabilities

CVEs by Year

2024: 1 CVE (patched)

Severity Breakdown

Medium
1

1 total CVE

CVE-2024-29798 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Gratisfaction <= 4.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published Mar 25, 2024 · Patched in 4.3.5 (8 days)
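The vulnerability class behind this CVE (a Contributor-level stored XSS) is the one the code-analysis figures on output escaping relate to. The following is an added illustration of that class and of the fix pattern; it is not the plugin's actual vulnerable code or its actual patch, and the shortcode, attribute and meta names are hypothetical.

```php
<?php
// Added illustration of the bug class in CVE-2024-29798 (stored XSS reachable by
// a Contributor), not the plugin's actual code or its actual fix. A Contributor
// can save posts containing shortcodes but lacks unfiltered_html, so an attribute
// value that reaches the page unescaped is a stored injection point that KSES on
// the post body does not catch. Shortcode, attribute and meta names are hypothetical.

// Vulnerable: the attribute is concatenated straight into markup.
add_shortcode( 'example_points_weak', function ( $atts ) {
    $atts = shortcode_atts( array( 'title' => 'Your points' ), $atts );
    // [example_points_weak title='x" onmouseover="alert(1)'] renders as
    // <div class="points" data-title="x" onmouseover="alert(1)">x" onmouseover="alert(1)</div>
    return '<div class="points" data-title="' . $atts['title'] . '">' . $atts['title'] . '</div>';
} );

// Fixed: escape for the exact context at output time, and constrain values.
add_shortcode( 'example_points', function ( $atts ) {
    $atts  = shortcode_atts( array( 'title' => 'Your points', 'limit' => 10 ), $atts );
    $title = sanitize_text_field( $atts['title'] );
    $limit = min( absint( $atts['limit'] ), 100 );
    return sprintf(
        '<div class="points" data-title="%s" data-limit="%d">%s</div>',
        esc_attr( $title ),   // attribute context
        $limit,               // integer, already constrained
        esc_html( $title )    // text-node context
    );
} );

// Same rule for meta written on save_post: verify intent and capability, sanitize
// on input, and still escape on output because other code paths can write the meta.
add_action( 'save_post', function ( $post_id ) {
    $nonce = isset( $_POST['example_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'example_meta_' . $post_id ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( isset( $_POST['example_banner'] ) ) {
        // wp_kses_post keeps only the HTML a user without unfiltered_html may post anyway.
        update_post_meta(
            $post_id,
            '_example_banner',
            wp_kses_post( wp_unslash( $_POST['example_banner'] ) )
        );
    }
} );

// Render side: filter again, because meta may have been written by another path.
function example_render_banner( $post_id ) {
    return wp_kses_post( get_post_meta( $post_id, '_example_banner', true ) );
}
```

The point of the fixed shortcode is that escaping is chosen per output context (`esc_attr` inside an attribute, `esc_html` in a text node) at the moment of output, rather than relying on whatever filtering happened when the post was saved.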
Version History

Gratisfaction- Loyalty, Rewards , Referral, Birthday and Giveaway Program Release Timeline

v4.6.1Current
v4.6.0
v4.5.5
v4.5.4
v4.5.3
v4.5.2
v4.5.1
v4.5.0
v4.4.6
v4.4.4
v4.4.3
Code Analysis
Analyzed Mar 16, 2026

Gratisfaction- Loyalty, Rewards , Referral, Birthday and Giveaway Program Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (6 prepared)
Unescaped Output: 40 (173 escaped)
Nonce Checks: 3
Capability Checks: 4
File Operations: 3
External Requests: 6
Bundled Libraries: 0

SQL Query Safety

100% prepared (6 total queries)

Output Escaping

81% escaped (213 total outputs: 173 escaped, 40 unescaped)
Data Flows · Security
4 unsanitized

Data Flow Analysis

5 flows, 4 with unsanitized paths
set_settings (includes\grwoo-api.php:856)
Attack Surface
20 unprotected

Gratisfaction- Loyalty, Rewards , Referral, Birthday and Giveaway Program Attack Surface

Entry Points: 39 · Unprotected: 20

AJAX Handlers 10 (auth = wp_ajax_ hook, logged-in users; nopriv = wp_ajax_nopriv_ hook, reachable without login)

auth    wp_ajax_get_gr_loyalty_points_blocks         grconnect.php:107
nopriv  wp_ajax_get_gr_loyalty_points_blocks         grconnect.php:108
auth    wp_ajax_check_redeem_update                  grconnect.php:1678
auth    wp_ajax_gr_get_cart_details                  grconnect.php:1679
auth    wp_ajax_apply_gr_discount                    grconnect.php:1680
auth    wp_ajax_create_account                       grconnect.php:1701
auth    wp_ajax_check_settings                       grconnect.php:1702
auth    wp_ajax_check_login                          grconnect.php:1703
auth    wp_ajax_check_autologin                      grconnect.php:1704
auth    wp_ajax_wc_points_rewards_apply_discount     includes\grwoo-checkout.php:49

REST API Routes 26

GET   /wp-json/grwoo/v1/setSettings              includes\grwoo-api.php:16
POST  /wp-json/grwoo/v1/getuserpoints            includes\grwoo-api.php:25
POST  /wp-json/grwoo/v1/redeemuserpoints         includes\grwoo-api.php:32
POST  /wp-json/grwoo/v1/cancelRedeemedCoupon     includes\grwoo-api.php:39
POST  /wp-json/grwoo/v1/getuserroles             includes\grwoo-api.php:46
POST  /wp-json/grwoo/v1/getproductcategories     includes\grwoo-api.php:53
POST  /wp-json/grwoo/v1/getorderdetails          includes\grwoo-api.php:60
POST  /wp-json/grwoo/v1/getorders                includes\grwoo-api.php:67
POST  /wp-json/grwoo/v1/getOrdersByDateRange     includes\grwoo-api.php:74
POST  /wp-json/grwoo/v1/getproductdetails        includes\grwoo-api.php:81
POST  /wp-json/grwoo/v1/getcustomerorders        includes\grwoo-api.php:88
POST  /wp-json/grwoo/v1/getversion               includes\grwoo-api.php:95
GET   /wp-json/grwoo/v1/getPage                  includes\grwoo-api.php:102
GET   /wp-json/grwoo/v1/addPage                  includes\grwoo-api.php:110
GET   /wp-json/grwoo/v1/editPage                 includes\grwoo-api.php:118
GET   /wp-json/grwoo/v1/deletePage               includes\grwoo-api.php:126
GET   /wp-json/grwoo/v1/verifyUser               includes\grwoo-api.php:134
GET   /wp-json/grwoo/v1/verifyReviewEnabled      includes\grwoo-api.php:142
GET   /wp-json/grwoo/v1/verifyCouponCode         includes\grwoo-api.php:150
GET   /wp-json/grwoo/v1/updateCouponCode         includes\grwoo-api.php:158
GET   /wp-json/grwoo/v1/deleteCouponCode         includes\grwoo-api.php:166
GET   /wp-json/grwoo/v1/resetInstallation        includes\grwoo-api.php:174
GET   /wp-json/grwoo/v1/createCouponGR           includes\grwoo-api.php:182
GET   /wp-json/grwoo/v1/verifyRestApiType        includes\grwoo-api.php:190
POST  /wp-json/grwoo/v1/createcustomer           includes\grwoo-api.php:199
POST  /wp-json/grwoo/v1/updateCouponAttributes   includes\grwoo-api.php:206

Note: the report counts 20 unprotected entry points in total but does not say which routes they are. Judging by their names, several routes that change state (setSettings, addPage, editPage, deletePage, updateCouponCode, deleteCouponCode, resetInstallation, createCouponGR) are registered on GET; any of these that lacks a permission callback is reachable from a plain link or image request, so they are the first ones to verify on an installation.

Shortcodes 3

[gr-campaign] grconnect.php:5452
[gr-points-balance] grconnect.php:5453
[tax_amount] includes\grwoo-functions.php:166
WordPress Hooks 60

action  admin_init                                grconnect.php:71
action  admin_menu                                grconnect.php:72
action  plugins_loaded                            grconnect.php:73
action  wp_enqueue_scripts                        grconnect.php:77
action  plugins_loaded                            grconnect.php:83
action  admin_enqueue_scripts                     grconnect.php:84
action  save_post                                 grconnect.php:85
action  after_switch_theme                        grconnect.php:86
filter  woocommerce_get_shop_coupon_data          grconnect.php:87
filter  woocommerce_coupon_message                grconnect.php:88
filter  woocommerce_cart_totals_coupon_label      grconnect.php:89
filter  woocommerce_coupon_is_valid               grconnect.php:90
action  woocommerce_removed_coupon                grconnect.php:93
action  init                                      grconnect.php:96
filter  query_vars                                grconnect.php:97
action  woocommerce_account_menu_items            grconnect.php:99
action  after_switch_theme                        grconnect.php:102
action  rest_api_init                             grconnect.php:104
action  upgrader_process_complete                 grconnect.php:111
filter  dokan_ensure_vendor_coupon                grconnect.php:517
action  woocommerce_checkout_order_processed      grconnect.php:1664
action  woocommerce_order_status_changed          grconnect.php:1666
action  before_delete_post                        grconnect.php:1667
action  woocommerce_order_refunded                grconnect.php:1669
action  woocommerce_created_customer              grconnect.php:1670
action  profile_update                            grconnect.php:1671
action  woocommerce_single_product_summary        grconnect.php:1672
action  woocommerce_after_add_to_cart_button      grconnect.php:1673
action  woocommerce_before_cart_totals            grconnect.php:1674
action  template_redirect                         grconnect.php:1675
action  woocommerce_before_checkout_form          grconnect.php:1676
action  woocommerce_cart_calculate_fees           grconnect.php:1677
action  wp_footer                                 grconnect.php:1682
action  comment_form_before                       grconnect.php:1683
action  comment_unapproved_review                 grconnect.php:1684
action  comment_approved_review                   grconnect.php:1685
action  comment_spam_review                       grconnect.php:1686
action  comment_trash_review                      grconnect.php:1687
action  woocommerce_checkout_process              grconnect.php:1688
action  comment_post                              grconnect.php:4929
action  wp                                        grconnect.php:4930
action  admin_notices                             grconnect.php:5460
action  admin_notices                             grconnect.php:5462
filter  woocommerce_cart_totals_coupon_label      includes\grwoo-checkout.php:31
action  woocommerce_cart_loaded_from_session      includes\grwoo-checkout.php:33
action  woocommerce_applied_coupon                includes\grwoo-checkout.php:34
action  woocommerce_before_cart                   includes\grwoo-checkout.php:37
action  woocommerce_before_cart                   includes\grwoo-checkout.php:38
action  woocommerce_before_checkout_form          includes\grwoo-checkout.php:39
action  woocommerce_before_checkout_form          includes\grwoo-checkout.php:40
action  woocommerce_thankyou                      includes\grwoo-checkout.php:43
action  wp                                        includes\grwoo-checkout.php:46
action  woocommerce_removed_coupon                includes\grwoo-checkout.php:52
action  woocommerce_before_add_to_cart_button     includes\grwoo-product.php:32
action  woocommerce_before_add_to_cart_button     includes\grwoo-product.php:35
filter  woocommerce_variation_price_html          includes\grwoo-product.php:38
filter  woocommerce_variation_sale_price_html     includes\grwoo-product.php:39
filter  woocommerce_available_variation           includes\grwoo-product.php:40
filter  woocommerce_show_variation_price          includes\grwoo-product.php:42
action  woocommerce_delete_product_transients     includes\grwoo-product.php:45
Maintenance & Trust

Gratisfaction- Loyalty, Rewards , Referral, Birthday and Giveaway Program Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 12, 2026
PHP min version: not listed
Downloads: 156K

Community Trust

Rating: 96/100
Number of ratings: 205
Active installs: 700
Developer Profile

Gratisfaction- Loyalty, Rewards , Referral, Birthday and Giveaway Program Developer Profile

Apps Mav

4 plugins · 1K total installs

Trust score: 100
Avg Security Score: 100/100
Avg Patch Time: 3 days
Detection Fingerprints

How We Detect Gratisfaction- Loyalty, Rewards , Referral, Birthday and Giveaway Program

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/gratisfaction-all-in-one-loyalty-contests-referral-program-for-woocommerce/assets/css/gr-styles.css
/wp-content/plugins/gratisfaction-all-in-one-loyalty-contests-referral-program-for-woocommerce/assets/css/gr-frontend.css
/wp-content/plugins/gratisfaction-all-in-one-loyalty-contests-referral-program-for-woocommerce/assets/js/gr-frontend.js
/wp-content/plugins/gratisfaction-all-in-one-loyalty-contests-referral-program-for-woocommerce/assets/js/gr-apply-coupon.js

Script Paths
//cdn.appsmav.com/gr/assets/js/gr-widget-sdk.js

Version Parameters
/wp-content/plugins/gratisfaction-all-in-one-loyalty-contests-referral-program-for-woocommerce/assets/css/gr-styles.css?ver=
/wp-content/plugins/gratisfaction-all-in-one-loyalty-contests-referral-program-for-woocommerce/assets/css/gr-frontend.css?ver=
/wp-content/plugins/gratisfaction-all-in-one-loyalty-contests-referral-program-for-woocommerce/assets/js/gr-frontend.js?ver=
/wp-content/plugins/gratisfaction-all-in-one-loyalty-contests-referral-program-for-woocommerce/assets/js/gr-apply-coupon.js?ver=

HTML / DOM Fingerprints

CSS Classes
gratisfaction-logo, gr-loyalty-points, gr-points-form, gr-redeem-points, gr-referral-program-container, gr-giveaway-form

HTML Comments
<!-- Appsmav Logo
<!-- START WOOC ISRM CODE
<!-- END WOOC ISRM CODE
<!-- START WOOC GR REFERRAL CODE
(+3 more, not listed)

Data Attributes
data-gr-widget-endpoint, data-gr-app-id, data-gr-plugin-version, data-gr-user-id, data-gr-product-id

JS Globals
gr_vars, GratisfactionWidget
REST Endpoints
/wp-json/gr-api/v1/get-points
/wp-json/gr-api/v1/apply-discount
/wp-json/gr-api/v1/redeem-points
/wp-json/gr-api/v1/referral-data
/wp-json/gr-api/v1/giveaway-entry

Shortcode Output
[gr_loyalty_points] [gr_referral_program] [gr_giveaway] [gr_rewards_history]

Note: the REST endpoint and shortcode fingerprints above do not match what the code analysis found in v4.6.1, where the routes are registered under /wp-json/grwoo/v1/ and the shortcodes are [gr-campaign], [gr-points-balance] and [tax_amount]. When confirming the plugin and its version on a site, rely on the asset paths and the code-analysis lists rather than on these two fingerprint groups.
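A minimal passive check that applies the asset-path, script, data-attribute and CSS-class fingerprints above to a fetched page body, as an added example. It is not the report's own scanner; the `gr_detect` function name is hypothetical and the HTML fragment at the bottom is constructed for the example.

```php
<?php
// Added example for the fingerprints above; not the report's own scanner.
// Matches a fetched page body against the listed asset paths, the Appsmav
// widget SDK, the data-gr-plugin-version attribute and the CSS class names.
// The HTML fragment at the bottom is constructed for this example.

const GR_SLUG = 'gratisfaction-all-in-one-loyalty-contests-referral-program-for-woocommerce';

function gr_detect( string $html ): array {
    $hits = array( 'detected' => false );
    $slug = preg_quote( GR_SLUG, '~' );

    // Plugin assets under the plugin directory, with the optional ?ver=
    // cache-buster captured in group 1.
    $re = '~/wp-content/plugins/' . $slug . '/assets/[^"\'\s?]+(?:\?ver=([^"\'\s&]+))?~';
    if ( preg_match_all( $re, $html, $m ) ) {
        $hits['asset_paths'] = count( $m[0] );
        $vers = array_values( array_unique( array_filter( $m[1] ) ) );
        if ( $vers ) {
            $hits['ver_params'] = $vers;
        }
    }

    if ( strpos( $html, 'cdn.appsmav.com/gr/assets/js/gr-widget-sdk.js' ) !== false ) {
        $hits['widget_sdk'] = true;
    }

    // The data attribute is the only marker that states the plugin version
    // directly; ?ver= is whatever the enqueue call passed and may be the WP
    // core version or a timestamp instead, so prefer the attribute when both exist.
    if ( preg_match( '~data-gr-plugin-version="([^"]+)"~', $html, $m ) ) {
        $hits['plugin_version_attr'] = $m[1];
    }

    // Tokenize every class attribute and intersect with the known class names.
    if ( preg_match_all( '~class="([^"]*)"~', $html, $m ) ) {
        $classes = array();
        foreach ( $m[1] as $attr ) {
            foreach ( preg_split( '/\s+/', trim( $attr ) ) as $c ) {
                if ( $c !== '' ) {
                    $classes[ $c ] = true;
                }
            }
        }
        $known = array( 'gratisfaction-logo', 'gr-loyalty-points', 'gr-points-form',
                        'gr-redeem-points', 'gr-referral-program-container', 'gr-giveaway-form' );
        $found = array_values( array_intersect( $known, array_keys( $classes ) ) );
        if ( $found ) {
            $hits['css_classes'] = $found;
        }
    }

    // Require a strong marker (the plugin directory or the vendor SDK); class
    // names alone can be reused by a theme and are reported only as supporting evidence.
    $hits['detected'] = isset( $hits['asset_paths'] ) || isset( $hits['widget_sdk'] );
    return $hits;
}

// Constructed sample page fragment (replace with the body returned by
// wp_remote_get() or curl to check a real site).
$slug   = GR_SLUG;
$sample = <<<HTML
<link rel="stylesheet" href="https://shop.example/wp-content/plugins/{$slug}/assets/css/gr-frontend.css?ver=4.6.1">
<script src="https://shop.example/wp-content/plugins/{$slug}/assets/js/gr-frontend.js?ver=4.6.1"></script>
<script src="//cdn.appsmav.com/gr/assets/js/gr-widget-sdk.js"></script>
<div class="gr-loyalty-points gr-points-form" data-gr-plugin-version="4.6.1" data-gr-app-id="demo"></div>
HTML;

print_r( gr_detect( $sample ) );
```

Run with `php gr-detect.php`. On the constructed fragment it reports two asset paths, the `4.6.1` ver parameter, the widget SDK, the plugin-version attribute and two class names, and sets `detected` to true; on a page that only carries the class names it reports them without claiming detection.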
FAQ

Frequently Asked Questions about Gratisfaction- Loyalty, Rewards , Referral, Birthday and Giveaway Program